aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChris PeBenito <pebenito@ieee.org>2021-09-08 10:53:44 -0400
committerJason Zaman <perfinion@gentoo.org>2021-10-31 15:45:37 -0700
commit9f33ba86aae719abf00b46a26fff3fee5e723719 (patch)
tree028c3fa9d515e75b0a5cc22e9d9f94aca1969a16 /Changelog
parentBump module versions for release. (diff)
downloadhardened-refpolicy-9f33ba86aae719abf00b46a26fff3fee5e723719.tar.gz
hardened-refpolicy-9f33ba86aae719abf00b46a26fff3fee5e723719.tar.bz2
hardened-refpolicy-9f33ba86aae719abf00b46a26fff3fee5e723719.zip
Update Changelog and VERSION for release 2.20210908.
Signed-off-by: Chris PeBenito <pebenito@ieee.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Diffstat (limited to 'Changelog')
-rw-r--r--Changelog147
1 files changed, 147 insertions, 0 deletions
diff --git a/Changelog b/Changelog
index 50cd31fc..fc2635ba 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,150 @@
+* Wed Sep 08 2021 Chris PeBenito <pebenito@ieee.org> - 2.20210908
+Andreas Freimuth (2):
+ Prefer user_fonts_config_t over xdg_config_t
+ Set user_fonts_config_t for conf.d
+
+Chris PeBenito (76):
+ rpc: Move lines.
+ selinux: Add a secure_mode_setbool Boolean.
+ Remove additional unused modules
+ Rules.modular/Rules.monolithic: Fix intdented labeling statement moves.
+ selinux: Change generic Boolean type to boolean_t.
+ selinux: Set regular file for labeled Booleans genfscons.
+ selinux: Add dontaudits when secure mode Booleans are enabled.
+ kernel: Add dontaudits when secure_mode_insmod is enabled.
+ authlogin: Add tunable for allowing shadow access on non-PAM systems.
+ authlogin: Remove redundant rule in auth_domtrans_chk_passwd().
+ Create stale.yml
+ stale.yml: Fix labels with spaces.
+ authlogin: Deprecate auth_domtrans_chk_passwd().
+ init: Add support for systemd StandardInputText.
+ .gitignore: Ignore vscode data dir.
+ .gitignore: Remove duplicate lines.
+ Revert "systemd.if minor fix"
+ systemd: Drop second parameter in systemd_tmpfilesd_managed().
+ staff, sysadm, unprivuser: Move lines.
+ xserver: Move fc lines.
+ radvd: Whitespace fix.
+ virt: Move lines.
+ Bump module versions for release.
+
+Christian Göttsche (1):
+ Use correct interface or template declaration
+
+Dave Sugar (2):
+ systemd.if minor fix
+ Resolve when building monolithic on RHEL7
+
+Fabrice Fontaine (5):
+ policy/modules/services/minidlna.te: make xdg optional
+ policy/modules/services/ftp.te: make ssh optional
+ policy/modules/services/cvs.te: make inetd optional
+ policy/modules/services/ifplugd.te: make netutils optional
+ policy/modules/apps/wireshark.te: make xdg optional
+
+Jonathan Davies (13):
+ staff.te: Allow staff access to the virt stream, needed for when the
+ sockets are access remotely over SSH.
+ logging.if: Added interfaces for watching all and audit logs.
+ roles: Added log watching permissions to secadm and sysadm.
+ irc.te: Allow irc_t access to unix_dgram_socket sendto to allow clients to
+ connect to a SOCKS proxy.
+ screen.if: Added interface to allow executing sock file.
+ irc.te: Allowed client access to screen runtime sock file.
+ dmesg.te: Added files_read_etc_files() as some distros store terminfo
+ files in /etc/.
+ devices.fc: Added missing Xen character files.
+ sysadm.te: Allow sysadm_t to read/write Xen character devices so userspace
+ tooling works.
+ sysnetwork: dhcpc_t: Added corenet_sendrecv_icmp_packets()
+ radvd.te: Added corenet_sendrecv_icmp_packets().
+ dhcp.te: Added corenet_sendrecv_icmp_packets().
+ virt: Defined a virt_common_runtime_t type for the new common/system.token
+ file and added permissions to virtd_t and virtlogd_t.
+
+Kenton Groombridge (36):
+ dovecot, postfix: add missing accesses
+ various: systemd user fixes and additional support
+ systemd, fail2ban: allow fail2ban to watch journal
+ fail2ban: allow reading vm overcommit sysctl
+ usbguard: various fixes
+ redis: allow reading certs
+ rngd: allow reading sysfs
+ getty: various fixes
+ modutils: allow kmod to read src_t symlinks
+ devices, userdomain: dontaudit userdomain setattr on null device nodes
+ spamassassin: allow rspamd to read network sysctls
+ redis: allow reading net and vm overcommit sysctls
+ devices, userdomain: dontaudit userdomain setattr on null device nodes
+ files, init, systemd: various fixes
+ ssh: allow ssh_keygen_t to read localization
+ devicekit: allow devicekit_disk_t to setsched
+ udev: various fixes
+ init: modify interface to allow reading all pipes
+ iptables: allow reading initrc pipes
+ wireguard: allow running iptables
+ bootloader, filesystem: various fixes for grub
+ mount: allow getattr on dos filesystems
+ init, mount: allow systemd to watch utab
+ init, systemd: allow logind to watch utmp
+ logging: allow auditd to use nsswitch
+ logging: allow auditd to getattr on audisp-remote binary
+ systemd: allow systemd-resolved to manage its own sock files
+ systemd: add policy for systemd-sysctl
+ init, udev: various fixes for systemd
+ udev: allow systemd-vconsole-setup to sys_tty_config
+ various: several dontaudits
+ sysadm, systemd: various fixes
+ authlogin: add new type for pwd.lock and others
+ init: allow systemd to rw shadow lock files
+ filesystem, init: allow systemd to create pstore dirs
+ bootloader, devices: dontaudit grub writing on legacy efi variables
+
+Krzysztof Nowicki (15):
+ Fix interface naming convention (plural predicates)
+ Allow systemd to relabel startup-important directories
+ Allow execution of shell-scripted systemd generators
+ Also grant directory permissions in sysnet_manage_config
+ Allow use of systemd UNIX sockets created at initrd execution
+ Fix systemd-journal-flush service
+ Allow systemd-tmpfilesd populating of /var/lib/dbus
+ When using systemd_tmpfilesd_managed also grant directory permissions
+ Enable factory directory support in systemd-tmpfilesd
+ Allow systemd-tmpfilesd to relabel generic files inside /etc
+ Allow systemd-tmpfilesd to set attributes of /var/lock
+ Mark lvm_lock_t as systemd_tmpfilesd-managed
+ Allow systemd-tmpfilesd handle faillog directory
+ Fix setting-up sandbox environment for systemd-networkd
+ Allow systemd-tmpfilesd to access nsswitch information
+
+Markus Linnala (13):
+ policy: init: there is no enabled_mls, it is enable_mls
+ policy: files: files_spool_filetrans: doc: change param from file to
+ file_type
+ policy devices: dev_filetrans: doc: change param from file to file_type
+ policy gnome: gnome_dbus_chat_gconfd: doc: does not have 1st param of
+ role_prefix
+ policy chromium: chromium_tmp_filetrans: doc: add missing 2nd param
+ documentation
+ policy gpg: doc: add documents for all *filterans parameters
+ policy seunshare: seunshare_role: parameters usage partially mixed
+ policy kismet: kismer_role: parameter order mixed in kismet_run
+ policy: interfaces: doc: indent param blocks consistently
+ policy avahi: avahi_filetrans_pid: doc: add missing params
+ policy: xserver: xserver_dbus_chat: fix require
+ policy:ssh: ssh_server_template: fix require
+ policy: files: files_get_etc_unit_status/files_{start,stop}_etc_service:
+ fix require
+
+Russell Coker (1):
+ blkmapd
+
+Xiongwei Song (1):
+ Add ubifs to filesystem policy
+
+Yi Zhao (1):
+ roles: move dbus_role_template to userdom_common_user_template
+
* Wed Feb 03 2021 Chris PeBenito <pebenito@ieee.org> - 2.20210203
(GalaxyMaster) (1):
added policy for systemd-socket-proxyd